path: root/ipapython/ipaldap.py
Commit message | Author | Age | Files | Lines
* Allow insecure binds for migration | Christian Heimes | 2019-08-13 | 1 | -3/+5

  Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind over an insecure connection. Password logins were only allowed over LDAPS or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.

  This commit lifts the restriction and permits insecure binds over plain LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA certificate is configured with a plain LDAP connection.

  Fixes: https://pagure.io/freeipa/issue/8040
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Thomas Woerner <twoerner@redhat.com>
* Revert "Require a minimum SASL security factor of 56" | Alexander Bokovoy | 2019-05-02 | 1 | -15/+2

  This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.

  We cannot force increase in minimum SASL security factor until our consumers are ready to deal with it. Unfortunately, realmd uses anonymous connection for discovery and validation of IPA LDAP server.

  The way it is done is fragile (it doesn't take into account an advertised IPA version, only checks that 'IPA' string exists in the info field) but since bumping of minimum SSF prevents reading IPA info field using anonymous connection, client enrollment fails.

  We should get back to bumping minimum SSF after realmd and other potential consumers are fixed.

  Reviewed-By: François Cami <fcami@redhat.com>
* Require a minimum SASL security factor of 56 | Christian Heimes | 2019-04-03 | 1 | -2/+15

  SSF_MINX 56 level ensures data integrity and confidentiality for SASL GSSAPI and SASL GSS SPNEGO connections.

  Although at least AES128 is enforced pretty much everywhere, 56 is required for backwards compatibility with systems that announce wrong SSF.

  Related: https://pagure.io/freeipa/issue/7140
  Related: https://pagure.io/freeipa/issue/4580
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
* Add constructors to ldap client | Christian Heimes | 2019-02-05 | 1 | -12/+59

  Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and LDAPClient.from_hostname_plain() constructors.

  The simple_bind() method now also refuses to transmit a password over a plain, unencrypted line.

  LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert by default. The constructor also automatically disables start_tls for ldaps and ldapi connections.

  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move realm_to_serverid/ldap_uri to ipaldap | Christian Heimes | 2019-02-05 | 1 | -0/+14

  The helper functions realm_to_serverid() and realm_to_ldap_uri() are useful outside the server installation framework. They are now in ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.

  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipaldap.py: fix method creating a ldap filter for IPACertificate | Florence Blanc-Renaud | 2018-11-27 | 1 | -0/+3

  ipa user-find --certificate and ipa host-find --certificate fail to return matching entries, because the method transforming the attribute into a LDAP filter does not properly handle IPACertificate objects.

  Directory Server logs show a filter with
  (usercertificate=<ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)

  When the attribute contains a cryptography.x509.Certificate, the method needs to extract the public bytes instead of calling str(value).

  Fixes https://pagure.io/freeipa/issue/7770
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipaldap: avoid invalid modlist when attribute encoding differs | Fraser Tweedale | 2018-11-06 | 1 | -2/+5

  ipaldap does not take into account the possibility of the attribute encoding returned by python-ldap differing from the attribute encoding produced by FreeIPA. In particular this can occur with DNs with special characters that require escaping. For example, python-ldap (or the underlying LDAP library) escapes special characters using hex encoding:

    CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU

  Whereas FreeIPA, when encoding the DN, escapes the character directly:

    CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU

  Therefore it is possible to generate an invalid modlist. For example, during external CA certificate renewal, if the issuer DN includes a comma in one of the attribute values (as above), an invalid modlist will be generated:

    [ (ldap.MOD_ADD, 'ipacaissuerdn',
        [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU'])
    , (ldap.MOD_DELETE, 'ipacaissuerdn',
        [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU'])
    ]

  Although encoded differently, these are the same value. If this modification is applied to the object, attributeOrValueExists (error 20) occurs.

  To avoid the issue, put deletes before adds in the modlist. If a value is present (with different encodings) as both an addition and a deletion, it must be because the original object contained the value with a different encoding. Therefore it is safe to delete it, then add it back.

  Note that the modlist is not optimal. In the simplest case (like above example), there should be no modification to perform. It is considerably more complex (and more computation) to implement this because the raw attribute values must be decoded before comparison.

  Fixes: https://pagure.io/freeipa/issue/7750
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Py3: Replace six.moves imports | Christian Heimes | 2018-10-05 | 1 | -4/+1

  Replace six.moves and six.StringIO/BytesIO imports with canonical Python 3 packages.

  Note: six.moves.input behaves differently than builtin input function. Therefore I left six.moves.input for now.

  See: https://pagure.io/freeipa/issue/7715
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Py3: Replace six.text_type with str | Christian Heimes | 2018-09-27 | 1 | -2/+2

  On Python 3, six.text_type (singular) is an alias for str.

  See: https://pagure.io/freeipa/issue/7715
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Py3: Replace six.integer_types with int | Christian Heimes | 2018-09-27 | 1 | -2/+1

  In Python 3, six.integer_types is (int,). In most places, the alias can be simply replaced with int. In other places, it was possible to simplify the code by unpacking the tuple.

  See: https://pagure.io/freeipa/issue/7715
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Py3: Replace six.string_types with str | Christian Heimes | 2018-09-27 | 1 | -1/+1

  In Python 3, six.string_types is just an alias for str.

  See: https://pagure.io/freeipa/issue/7715
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Py3: Remove subclassing from object | Christian Heimes | 2018-09-27 | 1 | -3/+3

  Python 2 had old style and new style classes. Python 3 has only new style classes. There is no point to subclass from object any more.

  See: https://pagure.io/freeipa/issue/7715
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Fix Pylint 2.0 violations | Armando Neto | 2018-07-14 | 1 | -5/+4

  Fix the following violations aiming to support Pylint 2.0

  - `unneeded-not` (C0113): Consider changing "not item in items" to "item not in items" used when a boolean expression contains an unneeded negation.

  - `useless-import-alias` (C0414): Import alias does not rename original package Used when an import alias is same as original package. e.g using import numpy as numpy instead of import numpy as np

  - `raising-format-tuple` (W0715): Exception arguments suggest string formatting might be intended Used when passing multiple arguments to an exception constructor, the first of them a string literal containing what appears to be placeholders intended for formatting

  - `bad-continuation` (C0330): This was already included on the disable list, although with current version of pylint (2.0.0.dev2) violations at the end of the files are not being ignored. See: https://github.com/PyCQA/pylint/issues/2278

  - `try-except-raise` (E0705): The except handler raises immediately Used when an except handler uses raise as its first or only operator. This is useless because it raises back the exception immediately. Remove the raise operator or the entire try-except-raise block!

  - `consider-using-set-comprehension` (R1718): Consider using a set comprehension Although there is nothing syntactically wrong with this code, it is hard to read and can be simplified to a set comprehension. Also it is faster since you don't need to create another transient list

  - `dict-keys-not-iterating` (W1655): dict.keys referenced when not iterating Used when dict.keys is referenced in a non-iterating context (returns an iterator in Python 3)

  - `comprehension-escape` (W1662): Using a variable that was bound inside a comprehension Emitted when using a variable, that was bound in a comprehension handler, outside of the comprehension itself. On Python 3 these variables will be deleted outside of the comprehension.

  Issue: https://pagure.io/freeipa/issue/7614
  Signed-off-by: Armando Neto <abiagion@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Handle races in replica config | Christian Heimes | 2018-07-12 | 1 | -0/+5

  When multiple replicas are installed in parallel, two replicas may try to create the cn=replica entry at the same time. This leads to a conflict on one of the replicas. replica_config() and ensure_replication_managers() now handle conflicts.

  ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or value exists exception is raised, when an attribute value or type is already set.

  Fixes: https://pagure.io/freeipa/issue/7566
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Import ABCs from collections.abc | Christian Heimes | 2018-07-05 | 1 | -3/+9

  Python 3 has moved all collection abstract base classes to collections.abc. Python 3.7 started to deprecate the old aliases.

  The whole import block needs to be protected with import-error and no-name-in-module, because Python 2 doesn't have collections.abc module and collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.

  Fixes: https://pagure.io/freeipa/issue/7609
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Use sane default settings for ldap connections | Christian Heimes | 2018-05-29 | 1 | -18/+27

  LDAP connections no longer depend on sane settings in global ldap.conf and use good default settings for cert validation, CA, and SASL canonization.

  https://pagure.io/freeipa/issue/7418
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* pylint3: workaround false positives reported for W1662 | Alexander Bokovoy | 2018-05-17 | 1 | -1/+1

  Pylint3 falsely reports warning W1662: using a variable that was bound inside a comprehension for the cases where the same name is reused for a loop after the comprehension in question.

  Rename the variable in a loop to avoid it.

  If the code looks like the following:

    arr = [f for f in filters if callable(f)]
    for f in arr:
        result = result + f()

  pylint3 would consider 'f' used outside of comprehension. Clearly, this is a false-positive warning as the second 'f' use is completely independent of the comprehension's use of 'f'.

  Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
* Unified ldap_initialize() function | Christian Heimes | 2018-02-15 | 1 | -7/+29

  Replace all ldap.initialize() calls with a helper function ldap_initialize(). It handles cacert and cert validation correctly. It also provides a unique place to handle python-ldap 3.0 bytes warnings in the future.

  Fixes: https://pagure.io/freeipa/issue/7411
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipaldap: allow GetEffectiveRights on individual operations | Fraser Tweedale | 2018-02-09 | 1 | -16/+35

  Allow caller to specify that the GetEffectiveRights server control should be used on a per-operation basis. Also update ldap2.get_effective_rights to use this new API.

  Part of: https://pagure.io/freeipa/issue/6609
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Require python-ldap 3.0.0b2 | Christian Heimes | 2017-12-19 | 1 | -8/+2

  Use new LDAPBytesWarning to ignore python-ldap's bytes warnings. New build is available in @freeipa/freeipa-master.

  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
* Update to python-ldap 3.0.0 | Christian Heimes | 2017-12-06 | 1 | -0/+15

  Replace python3-pyldap with python3-ldap.

  Remove some old code for compatibility with very old python-ldap.

  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* pylint: disable __hash__ for some classes | Stanislav Laznicka | 2017-09-08 | 1 | -0/+2

  pylint requires all classes implementing __eq__ to also implement __hash__. We disable hashing for the classes that miss the ability, should they ever be required to use it, it can be implemented then.

  https://pagure.io/freeipa/issue/6874
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Create a Certificate parameter | Stanislav Laznicka | 2017-07-27 | 1 | -3/+13

  Up until now, Bytes parameter was used for certificate parameters throughout the framework. However, the Bytes parameter does nothing special for certificates, like validation, so this had to be done for each of the parameters which were supposed to represent a certificate.

  This commit introduces a special Certificate parameter which takes care of certificate validation so this does not have to be done separately. It also makes sure that the certificates represented by this parameter are always converted to DER format so that we can work with them in a unified manner throughout the framework.

  This commit also makes it possible to pass bytes directly during instantiation of the Certificate parameter and they are still represented correctly after their conversion in the _convert_scalar() method.

  https://pagure.io/freeipa/issue/4985
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* logging: remove object-specific loggers | Jan Cholasta | 2017-07-14 | 1 | -16/+15

  Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls.

  Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ldap2: remove URI argument from ldap2 constructor | Jan Cholasta | 2017-07-04 | 1 | -9/+10

  LDAPClient should be used for ad-hoc connections, so the argument is not necessary, and currently also unused.

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: ipaldap: fix encoding of datetime objects | Martin Basti | 2017-06-21 | 1 | -1/+1

  datetime objects were converted to string instead of bytes.

  https://pagure.io/freeipa/issue/4985
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* py3: LDAPClient: remove __del__ method | Martin Basti | 2017-06-21 | 1 | -3/+0

  in py3 we are receiving ugly tracebacks due to __del__ method that should be used very carefully or never. Due to tracebacks, this doesn't work and context manager should be used for reliable connection termination.

    Exception ignored in: <bound method LDAPClient.__del__ of ipaserver.plugins.ldap2.ldap2()>
    Traceback (most recent call last):
      File "/usr/lib/python3.5/site-packages/ipapython/ipaldap.py", line 1057, in __del__
      File "/usr/lib/python3.5/site-packages/ipaserver/plugins/ldap2.py", line 123, in close
      File "/usr/lib/python3.5/site-packages/ipalib/backend.py", line 94, in isconnected
    NameError: name 'hasattr' is not defined

  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* LDAPEntry: rename _orig to _orig_raw | Martin Basti | 2017-06-21 | 1 | -8/+9

  It was hard to detect what is supposed to be in self._orig variable. Renaming to _orig_raw makes clear for future generations that it contains bytes.

  https://pagure.io/freeipa/issue/4985
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* py3: ipaldap: encode Boolean as bytes | Martin Basti | 2017-06-01 | 1 | -2/+2

  Python LDAP requires bytes

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* pylint_plugins: add forbidden import checker | Jan Cholasta | 2017-03-10 | 1 | -0/+2

  Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

  Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use GSS-SPNEGO if connecting locally | Simo Sorce | 2017-03-07 | 1 | -1/+5

  GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips therefore use it when possible.

  We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible.

  Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking for speedups for the local short-lived connections performed by the framework. Most other clients have longer lived connections, so performance improvements there are not as important.

  Ticket: https://pagure.io/freeipa/issue/6656
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* py3: modify_s: attribute name must be str not bytes | Martin Basti | 2017-02-10 | 1 | -1/+1

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: preserve order of values in LDAPEntry._sync() | Jan Cholasta | 2017-02-09 | 1 | -2/+2

  In Python 2, the order was preserved by accident.

  This change makes sure the order is preserved in both Python 2 and 3.

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* py3: get_memberofindirect: fix ByteWarnings | Martin Basti | 2017-02-08 | 1 | -2/+4

  DN must be converted to bytes as other variables and lists contain bytes

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* py3: ipaldap: properly encode DNSName to bytes | Martin Basti | 2017-02-08 | 1 | -1/+1

  The encode method of LDAPClient didn't return DNSName as bytes but string in py3. In py2 it returns non-unicode string so it can be encoded safely by ascii as to_text() method returns only ascii characters.

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use dict comprehension | Martin Basti | 2017-01-31 | 1 | -1/+3

  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: ipaldap: update encode/decode methods | Martin Basti | 2017-01-31 | 1 | -34/+7

  Update encoding/decoding accordingly to work under Py3

  Removing functions that were used only once in code and give no real improvements

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: make_filter_from_attr: use string instead of bytes | Martin Basti | 2017-01-24 | 1 | -1/+2

  Method escape_filter_chars() requires string as parameter instead of bytes. 'value_to_utf8' returns bytes thus this code has to be removed.

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: ldap modlist must have keys as string, not bytes | Martin Basti | 2017-01-24 | 1 | -1/+2

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: properly escape raw binary values in LDAP filters | Jan Cholasta | 2017-01-24 | 1 | -3/+6

  Manually escape each byte in the value, do not use ldap.filter.escape_filter_chars() as it does not work with bytes in Python 3.

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Make get_entries() not ignore its limit arguments | Stanislav Laznicka | 2016-12-06 | 1 | -1/+2

  get_entries() wouldn't pass some arguments deeper to find_entries() function it wraps. This would cause unexpected behavior in some cases throughout the framework where specific (non-)limitations are expected.

  https://fedorahosted.org/freeipa/ticket/5640
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix Python 3 bugs discovered by pylint | Christian Heimes | 2016-11-25 | 1 | -1/+4

  In Python 3 exception instances no longer have a message attribute. For most exceptions, str(e) or string formatting give the same result.

  Fix some renamed modules, module members and functions.

  https://fedorahosted.org/freeipa/ticket/4985
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix ipa migrate-ds when it finds a search reference | Florence Blanc-Renaud | 2016-11-17 | 1 | -8/+4

  When ipa migrate-ds finds user entries and a search reference, it complains that the LDAP search did not return any result and does not migrate the entries or the groups.

  The issue comes from LDAPClient._convert_result which returns an empty result list when the input is a search reference. In turn LDAPClient.find_entries assumes that the empty result list corresponds to a Search Result Done and returns without any entry.

  The fix examines first the objtype returned by self.conn.result3. If it is a search result done, then the loop can be exited. Otherwise (referral or entry), _convert_result is called and the result (if not empty) is appended to the list of returned entries.

  https://fedorahosted.org/freeipa/ticket/6358
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaldap: remove do_bind from LDAPClient | Tomas Krizek | 2016-11-10 | 1 | -20/+0

  Remove do_bind() method that was a relict used in IPAdmin. Replace its uses with simple / external binds.

  https://fedorahosted.org/freeipa/ticket/6461
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaldap: merge IPAdmin to LDAPClient | Tomas Krizek | 2016-11-07 | 1 | -90/+63

  * move IPAdmin methods to LDAPClient
  * add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
  * add host, port, _protocol to LDAPClient (parsed from ldap_uri)
  * create get_ldap_uri() method to create ldap_uri from former IPAdmin.__init__() arguments
  * replace IPAdmin with LDAPClient + get_ldap_uri()
  * remove unused function argument hostname from enable_replication_version_checking()

  https://fedorahosted.org/freeipa/ticket/6461
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge gssapi_bind to LDAPClient | Tomas Krizek | 2016-11-07 | 1 | -4/+1

  * Rename do_sasl_gssapi_bind to gssapi_bind

  https://fedorahosted.org/freeipa/ticket/6461
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge external_bind into LDAPClient | Tomas Krizek | 2016-11-07 | 1 | -7/+3

  * Rename do_external_bind to external_bind
  * Remove user_name argument in external_bind() and always set it to effective user name

  https://fedorahosted.org/freeipa/ticket/6461
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge simple_bind into LDAPClient | Tomas Krizek | 2016-11-07 | 1 | -7/+4

  * Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
  * Rename binddn to bind_dn
  * Rename bindpw to bind_password
  * Explicitly specify bind_dn in all calls

  https://fedorahosted.org/freeipa/ticket/6461
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: remove wait/timeout during binds | Tomas Krizek | 2016-11-07 | 1 | -38/+12

  Testing whether it is possible to connect to directory server is already done in RedHatDirectoryService.restart().

  https://fedorahosted.org/freeipa/ticket/6461
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* do not use keys() method when iterating through dictionaries | Martin Babinsky | 2016-10-12 | 1 | -1/+1

  pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when building FreeIPA, we have to fix these errors

  https://fedorahosted.org/freeipa/ticket/6391
  Reviewed-By: Martin Basti <mbasti@redhat.com>